b"           OFFICE OF\n    THE INSPECTOR GENERAL\n\nSOCIAL SECURITY ADMINISTRATION\n\n\n       THE SOCIAL SECURITY\n        ADMINISTRATION\xe2\x80\x99S\n     MONITORING OF POTENTIAL\n            EMPLOYEE\n   SYSTEMS SECURITY VIOLATIONS\n\n     July 2004   A-14-04-23004\n\n\n\n\nAUDIT REPORT\n\x0c                                     Mission\n\nWe improve SSA programs and operations and protect them against fraud, waste, and\nabuse by conducting independent and objective audits, evaluations, and\ninvestigations. We provide timely, useful, and reliable information and advice to\nAdministration officials, the Congress, and the public.\n\n                                    Authority\n\nThe Inspector General Act created independent audit and investigative units, called\nthe Office of Inspector General (OIG). The mission of the OIG, as spelled out in the\nAct, is to:\n\n  \xc2\x81 Conduct and supervise independent and objective audits and investigations\n    relating to agency programs and operations.\n  \xc2\x81 Promote economy, effectiveness, and efficiency within the agency.\n  \xc2\x81 Prevent and detect fraud, waste, and abuse in agency programs and operations.\n  \xc2\x81 Review and make recommendations regarding existing and proposed legislation\n    and regulations relating to agency programs and operations.\n  \xc2\x81 Keep the agency head and the Congress fully and currently informed of\n    problems in agency programs and operations.\n\nTo ensure objectivity, the IG Act empowers the IG with:\n\n  \xc2\x81 Independence to determine what reviews to perform.\n  \xc2\x81 Access to all information necessary for the reviews.\n  \xc2\x81 Authority to publish findings and recommendations based on the reviews.\n\n                                      Vision\n\nBy conducting independent and objective audits, investigations, and evaluations, we\nare agents of positive change striving for continuous improvement in the Social\nSecurity Administration's programs, 
operations, and management and in our own\noffice.\n\x0c                                        SOCIAL SECURITY\nMEMORANDUM\n\nDate:   July 27, 2004                                                                 Refer To:\n\nTo:     The Commissioner\n\nFrom:   Acting Inspector General\n\nSubject: The Social Security Administration\xe2\x80\x99s Monitoring of Potential Employee Systems Security\n        Violations (A-14-04-23004)\n\n\n        OBJECTIVE\n        Our objectives were to examine the processes that the Social Security Administration\n        (SSA) has in place to review potential employee systems security violations in a timely\n        and proper manner and to limit SSA\xe2\x80\x99s exposure to employee misuse of its systems.\n        We also examined the process used to refer violations to the Office of the Inspector\n        General (OIG).\n\n        BACKGROUND\n\n        In April 2003, we issued an early alert memorandum1 in response to the\n        Commissioner\xe2\x80\x99s concerns as to whether SSA had a process in place to ensure that all\n        potential employee systems security violations were resolved in a timely,\n        comprehensive, and consistent manner. We reported that there were limited controls in\n        place to ensure that potential employee systems security violation and fraud cases were\n        appropriately monitored, reviewed and reported in accordance with SSA\xe2\x80\x99s policy. 
We\n        initiated this review as part of the OIG\xe2\x80\x99s efforts to assist SSA in improving its security\n        and integrity review process.\n\n        SSA stated in a March 2000 memorandum2 that in June 1998, it established a uniform\n        set of Sanctions for Unauthorized Systems Access Violations (Sanctions) to secure the\n        integrity and privacy of personal information contained in the Agency\xe2\x80\x99s computer\n        systems and to ensure that any violations of the confidentiality of its computer records\n        are treated consistently. This memorandum advised SSA employees of the categories\n\n        1\n          OIG Memorandum, Early Alert: The System Security and Integrity Review Process, A-14-04-24003,\n        April 11, 2003.\n        2\n          Memorandum, Revisions to Sanctions for Unauthorized Systems Access Violations\xe2\x80\x94INFORMATION,\n        March 2, 2002, (as of September 10, 2003).\n\x0cPage 2 \xe2\x80\x93 The Commissioner\n\nof systems security violations and the minimum recommended sanctions. Table 1\nbelow shows those sanctions for first time offenses. Those sanctions apply for all SSA\nemployees who use or have access to computer systems containing personal data\nabout workers, claimants, beneficiaries, SSA employees or other individuals.\n\nTable 1. 
Systems Security Violation Category and Sanction\n\n          Category          First Time Offense                                Sanction\n              I    Unauthorized access without                           2-day suspension\n                   disclosure\n                IIA     Disclosure of information to an                  2-day suspension\n                        individual entitled to the information\n                IIB     Disclosure of information to an                  14-day suspension\n                        individual not entitled to the\n                        information\n                III     Unauthorized access for personal                 Removal\n                        gain or with malicious intent\n\nAnnually, all employees are required to read and sign the Acknowledgment Statement\nindicating that they have read and understand the sanctions.3 The Sanctions and\nAcknowledgment Statement have both been incorporated into the Information Systems\nSecurity Handbook. 
For additional background information, see Appendix B and for our\nscope and methodology, see Appendix C.\n\nRESULTS OF REVIEW\nWe found that SSA has a process in place to review potential employee systems\nsecurity violations and has taken steps to limit its exposure to employee misuse of its\nsystems.4 These steps include, but are not limited to:\n\n            \xe2\x80\xa2    Establishment of the Sanction Penalties;\n            \xe2\x80\xa2    Establishment of policies and procedures for reviewing potential employee\n                 systems security violations in the Information Systems Security\n                 Handbook5 and the Integrity Review Handbook6 (the Handbook);\n            \xe2\x80\xa2    Development of the Comprehensive Integrity Review Process (CIRP)\n                 system to alert managers of potential problems;\n            \xe2\x80\xa2    Efforts to analyze trends in applying sanctions;\n\n3\n  Information Systems Security Handbook, Chapter 21, Sanctions for Unauthorized System Access\nViolations, Attachment: Commissioner\xe2\x80\x99s Memorandum, June 22, 1998.\n4\n  Potential employee systems security violations are defined through out this report as an instance where\nan SSA Manager designates that an employee has committed a potential misuse or potential fraud and\nindicates that further review is required to determine if an administrative action is appropriate.\n5\n  Ibid.\n6\n  Integrity Review Handbook, Release 3, August 2003.\n\x0cPage 3 \xe2\x80\x93 The Commissioner\n\n              \xe2\x80\xa2   Efforts to work with OIG to refer cases to the OIG; and\n              \xe2\x80\xa2   Periodic training and reminders for the reviewers.\n\nWe requested employee systems security sanction cases from all components. Only\nthe Office of Operations (Operations) provided sanction cases for our review. 
While it is\ntrue that Operations has the majority of employees with access to SSA\xe2\x80\x99s systems, it\nwould seem unlikely that no employee in any other component has committed a\nsystems security violation since September 2000.\n\nWhile we believe that the Agency, and in particular Operations, is making a concerted\neffort to address employee systems security violations, there are areas within the\nintegrity review process that need improvement.\n\nCERTAIN POTENTIAL SECURITY VIOLATION CASES WERE NOT REFERRED TO\nTHE OIG\n\nAs mandated by the Inspector General Act of 1978, the OIG is responsible for\npreventing and detecting fraud and abuse in agency programs and operations.7 The\nOffice of Investigations (OI), within the OIG, protects the integrity of SSA\xe2\x80\x99s programs by\ninvestigating allegations of fraud, waste, and abuse.8 For this reason, such cases\nshould be referred to the OIG early in the administrative sanction development process\nto ensure fulfillment of the OIG\xe2\x80\x99s responsibilities and the effective enforcement of SSA\nand OIG mission.\n\nWe reviewed 308 administratively sanctioned cases at 5 regional offices between\nSeptember 2000 and August 2003. One of the purposes for this review was to\ndetermine how many of these cases should have been referred to the OIG. It is our\nopinion that any unauthorized access of SSA\xe2\x80\x99s systems and data must be considered\npotential fraud until an analysis by OIG personnel determines otherwise. SSA\nadministrative sanctions are in addition to any criminal penalties prescribed by law.\n\nWe found that SSA, and particularly Operations, has a process in place to review\npotential employee systems security violations. Although Operations has taken steps to\nlimit its exposure to employee misuse of its systems, we determined that all 308 cases\nshould have been referred to the OIG for investigation. 
We found that only 26 of the\n308 administratively sanctioned cases were referred to the OIG. Of the 26 cases,\n17 were referred to us by the Agency. The remaining nine cases were referred to us by\noutside sources. One of the five regions we reviewed did not refer any cases. Although\nSSA\xe2\x80\x99s Program Operations Manual System provides criteria and procedures for\nreferring fraud cases to the OIG, we noted that the Handbook that is used to perform\nintegrity reviews does not clearly specify these criteria or procedures. We believe this\nlack of clarity contributes to the low number of cases referred to OIG.\nSome examples of sanctioned cases that should have been referred are:\n\n7\n    5 U.S.C. App. 3, Section 2.\n8\n    OIG Manual System, OI Special Agent Handbook, Chapter 1, Section 001.020, pages 1-2.\n\x0cPage 4 \xe2\x80\x93 The Commissioner\n\n\n    \xe2\x80\xa2   An employee improperly accessed over 1,400 records over a 2-month period.\n        This employee committed a Category III violation and was removed from\n        service.\n\n    \xe2\x80\xa2   An employee accessed the records of clients for their outside tax business. This\n        unauthorized access occurred for 2 years before it was discovered. This\n        employee committed a Category III violation and, as stated in SSA policy,9\n        should have been removed from service; however, the employee resigned upon\n        reaching a settlement agreement with the Agency.\n\n    \xe2\x80\xa2   An employee committed a Category I violation and received a 3-day suspension.\n        After the suspension, SSA management was advised by a friend of the\n        employee on two separate occasions that the employee was suspected of\n        accessing the friend\xe2\x80\x99s personal information. No action was taken by SSA for\n        these allegations. Local law enforcement attempted to arrest the employee at\n        SSA for a domestic dispute involving the friend. 
SSA informed the OIG of the\n        attempted arrest and the OIG assisted the local law enforcement with the\n        employee\xe2\x80\x99s arrest 5 days later. The arrest for the domestic dispute led to an\n        investigation of systems security violations by SSA and the employee was given\n        a 15-day Category IIA suspension. SSA did not refer the systems security\n        violation case to the OIG.\n\nThe Agency is working with OIG on the case referral procedure. Currently, the Agency\ndoes not refer Category I or II sanction cases unless, in its opinion, potential criminal\nactivity has occurred. However, the OIG believes that, prior to applying administrative\nactions, some level of investigation by our office is warranted for those cases\ndesignated by SSA managers as potential misuse or potential fraud systems security\nviolations.\n\nWe believe that failure to refer cases designated by SSA managers as potential\nsystems security violations for further investigation to OIG undermines the Agency\xe2\x80\x99s\nability to deal appropriately with fraud and abuse. As a result, individuals who\ncommitted serious violations may have escaped our investigation and avoided removal\nand/or prosecution. Some of these individuals may continue to work for SSA, and\nremain in a position that enables additional systems abuses. Several employees, who\ncommitted potentially criminal offenses, were allowed to retire or resign before\nsanctions could be applied. These individuals may have been liable for criminal or civil\npenalties if an investigation had been conducted. 
As a result, the employees may be\nrehired by the Agency since there is no permanent record showing the prior systems\nsecurity violations; however, criminal and civil prosecution could avoid this outcome.\nAdditionally, criminal and civil penalties could be used to provide a strong deterrent to\n\n9\n Information Systems Security Handbook, Chapter 21, Sanctions for Unauthorized System Access\nViolations, Attachment: Deputy Commissioner for Human Resources Memorandum, page 4,\nMarch 2, 2000.\n\x0cPage 5 \xe2\x80\x93 The Commissioner\n\nfuture potential systems security violations.\n\nCERTAIN VIOLATIONS WERE NOT ADDRESSED TIMELY IN CONFORMANCE\nWITH THE INTEGRITY REVIEW PROCESS\n\nThe Handbook requires managers to conduct reviews on a daily, weekly or monthly\nbasis depending on the type of review. The CIRP system generates various reports to\nassist and facilitate managers in performing timely reviews. Additionally, Operations\nrecently provided managers with CIRP training on the integrity review process. While\nthe Agency is working diligently to address employee systems security violations, we\nfound cases where an employee\xe2\x80\x99s inappropriate activities were not discovered for an\nextended period of time. These cases suggest that the CIRP reviews need to be\nconducted in a more timely and in-depth manner.\n\nFor example:\n\n    \xe2\x80\xa2   An employee performed 50 unauthorized queries for more than 3 years and\n        disclosed personal information to a co-worker who was committing credit card\n        fraud. When his activity was discovered, this employee was given a 14-day\n        suspension, which is a Category IIB sanction for a first-time access and\n        disclosure offense.\n\n   \xe2\x80\xa2    An employee performed 230 unauthorized queries of the records of friends for\n        more than 3 years and disclosed some of this information to individuals not\n        entitled to the information. 
This activity was punished as a first-time offense, and\n        the employee was given a 10-workday suspension.\n\n   \xe2\x80\xa2    An employee performed unauthorized queries on relatives over a 4-year period.\n        Upon discovery of this activity, the employee was given a 2-day suspension,\n        which is the sanction for a first-time Category I violation.\n\nBased on documentation currently available, we were not able to determine why these\nactivities went on so long before they were addressed. If CIRP reviews are not\nperformed timely and adequately, employees\xe2\x80\x99 unauthorized use of the systems may\ncontinue undetected and will undermine the Agency\xe2\x80\x99s efforts to protect the integrity and\nprivacy of the personal information contained in its computer systems.\n\x0cPage 6 \xe2\x80\x93 The Commissioner\n\nNO CENTRALIZED SYSTEM OR PROCESS EXISTS TO TRACK EMPLOYEE\nSYSTEMS SECURITY VIOLATIONS\n\nOffice of Management and Budget (OMB) Circular A-123, Management Accountability\nand Control, states \xe2\x80\x9c\xe2\x80\xa6management controls are the organization, policies, and\nprocedures used to reasonably ensure that programs and resources are protected from\nwaste, fraud, and mismanagement.\xe2\x80\x9d10 SSA does not have an agency-wide centralized\nsystem or process to track employee systems security violations. Operations does\ncompile a cumulative report of all systems security violations since the Sanctions policy\nwas initiated in 1998. This report, however, does not include detailed information such\nas the names or Social Security numbers of the individuals sanctioned. The report is a\nsummary of reports provided by the different regional offices and the Operations\ncomponents at Headquarters, and is used to analyze the systems violation sanction\nprocess. 
To verify the numbers in the report requires accessing the individual\nsanctioned case folders maintained at the 10 regional offices and Headquarters.\nHowever, based on the information provided at each region, we were still unable to\nreconcile the cumulative report to the listings of systems security violation cases\nprovided by the regional offices because of the lack of detailed information maintained\nin the report.\n\nFor a centralized system to be effective, it should flow from first line managers to their\nlocal security staff to a headquarters component, such as the Chief Security Officer\nwithin the Office of the Chief Information Officer. According to the Agency\xe2\x80\x99s integrity\nreview requirements, the appropriate security staff should be contacted for assistance\nafter the reviewer determines that a potential violation exists.11 We found the managers\ndid not always contact the appropriate security staff upon discovery of potential security\nviolations. As a result, the reviewers are not always appropriately counseled in\ndetermining whether further action is necessary or whether the cases should be sent to\nOIG.\n\nBecause a centralized system does not exist, managers cannot be certain whether an\nemployee has committed any prior systems security violations. Therefore, penalties for\nrepeat offenders may not be applied appropriately, particularly if the employee has\nchanged offices or regions. Additionally, it is difficult to properly safeguard the\ninformation entrusted to the Agency without a centralized system. Furthermore, all\npotential systems security violations should be input into such a system so they can be\ntracked from discovery to resolution.\n\nWe believe the Agency\xe2\x80\x99s security staff should receive all potential violation cases from\nthe managers. 
In addition, SSA should develop an agency-wide centralized system or\nprocess with the potential violation information included by the appropriate security staff.\nSSA could consider expanding the current reporting process used by Operations to the\nentire Agency and ensure that all necessary information is included.\n10\n   OMB Circular A-123, Management Accountability and Control, Section 2. Policy, as revised\npage 1, June 21, 1995.\n11\n   Integrity Review Handbook, Release 3, Chapter 1, Query Review, page 4, August 2003.\n\x0cPage 7 \xe2\x80\x93 The Commissioner\n\n\nSANCTION DOCUMENTATION WAS NOT LOCATED FOR ALL CASES\n\nAccording to OMB, \xe2\x80\x9c...systematic attention to the management of government records is\nan essential component of sound public resources management which ensures public\naccountability.\xe2\x80\x9d12 An effective integrity review system requires that adequate\ndocumentation be maintained.\n\nWe requested all 308 Official Personnel Folders (OPF) from SSA and received\ndocumentation as follows:\n\n       \xe2\x80\xa2   245 had the appropriate documentation;\n       \xe2\x80\xa2   24 did not contain SF-50 forms corresponding to the imposed sanctions as\n           required by Office of Personnel Management policy;13\n       \xe2\x80\xa2   22 were not located for employees who were separated from service. These\n           folders had been sent to the National Personnel Records Center in St. Louis,\n           Missouri, 30 days after the employees separated from Federal service; and\n       \xe2\x80\xa2   17 were not located.\n\nSF-50s were not provided for 63 of the 308 cases reviewed. These forms are placed in\nthe OPF as a permanent record of actions for promotion, reassignment, suspension,\nand return to duty. 
Without this documentation, SSA has no permanent record showing\nthat these employees had been previously sanctioned.\n\nAccording to the records management regulations developed by the National Archives\nand Records Administration, Adverse Action Files (AAF) should be destroyed no sooner\nthan 4 years, but no later than 7 years after the case is closed.14 An AAF is compiled\nwhen agencies impose an adverse or performance-based action against an employee\nand contains all the information related to the suspension or removal. OPFs and AAFs\nare maintained by the personnel department within the Office of Human Resources.\nWe requested all 308 AAFs from the Agency, but 10 could not be located. Without\nproper documentation from the AAFs, the Agency does not have the evidence needed\nfor due process.\n\n\n\n\n12\n   OMB Circular A-130, Management of Federal Information Resources, Revised (Transmittal\nMemorandum No. 4), section 7.h., page 5, November 30, 2000.\n13\n   Office of Personnel Management Operating Manual, The Guide to Processing Personnel Actions,\nApril 6, 2003, section 1-3b(3), (as of March 9, 2004).\n14\n   National Archives and Records Administration, General Records Schedule 1 (Transmittal\nMemorandum No. 11), Civilian Personnel Records, Section 30.b, December 2003 (as of March 9, 2004).\n\x0cPage 8 \xe2\x80\x93 The Commissioner\n\nCONCLUSIONS AND RECOMMENDATIONS\nSSA, and particularly Operations, is proactive in its efforts to prevent and uncover\npotential employee systems security violations. This includes the establishment of\npolicies and procedures, the development of the CIRP system, efforts to work with the\nOIG, and refresher training for the reviewers. 
While the Agency has integrity review\npolicies and procedures in place, there are areas within the integrity review process that\nrequire improvement.\n\nTo strengthen SSA\xe2\x80\x99s integrity review process and reduce its vulnerability to employee\nsystems security violations, we recommend SSA:\n\n1. Establish policies and procedures on retaining all supporting documentation for\n   potential misuse or potential fraud employee systems security violations, as\n   identified by SSA managers as needing further investigation, so that resolutions are\n   accessible and verifiable.\n\n2. Maintain supporting documentation for all potential misuse or potential fraud\n   employee systems security violations, as identified by SSA managers as needing\n   further investigation, to ensure appropriate and consistent sanctions are applied\n   within the Agency.\n\n3. Provide OIG with periodic access to the potential misuse or potential fraud employee\n   systems security violations, as identified by SSA managers as needing further\n   investigation, to assess the information for potential criminal activity.\n\n4. Continue to ensure all integrity reviews are conducted in a more timely and in-depth\n   manner.\n\nAGENCY COMMENTS AND OIG RESPONSE\nIn response to our draft report, SSA agreed with our recommendations and is in the\nprocess of implementing them. The Agency raised several points as other matters,\nwhich we have taken under consideration and incorporated where appropriate. We\ncommend SSA for its efforts to protect the valuable information entrusted to the Agency\nand maintain the integrity of its workforce. See Appendix E for the text of SSA\xe2\x80\x99s\ncomments.\n\n\n\n\n                                             S\n                                             Patrick P. 
O\xe2\x80\x99Carroll, Jr.\n\x0c                                     Appendices\nAPPENDIX A \xe2\x80\x93 Acronyms\n\nAPPENDIX B \xe2\x80\x93 Background\n\nAPPENDIX C \xe2\x80\x93 Scope and Methodology\n\nAPPENDIX D \xe2\x80\x93 Sanction Cases Reviewed for Systems Security Violations\n\nAPPENDIX E \xe2\x80\x93 Agency Comments\n\nAPPENDIX F \xe2\x80\x93 OIG Contacts and Staff Acknowledgments\n\x0c                                                             Appendix A\nAcronyms\nAAF          Adverse Action File\nAct          The Social Security Act\nCIRP         Comprehensive Integrity Review Process\nCSI          Center for Security and Integrity\nDSSPI        Division of Systems Security and Program Integrity\nHandbook     Integrity Review Handbook\nOI           Office of Investigations\nOIG          Office of the Inspector General\nOMB          Office of Management and Budget\nOperations   Office of Operations\nOPF          Official Personnel Folder\nPOMS         Program Operations Manual System\nSanctions    Sanctions for Unauthorized Systems Access Violations\nSF-50        Notification of Personnel Action Form\nSSA          Social Security Administration\nSSN          Social Security Number\nU.S.C.       United States Code\n\x0c                                                                           Appendix B\nBackground\nThe Privacy Act of 1974,1 the Computer Fraud and Abuse Act,2 the Computer Security\nAct of 1987,3 the Office of Management and Budget Circulars A-123 and A-130,\nAppendix III, plus many other laws, guidelines and memoranda provide a body of\nregulations requiring the proper security of all automated information systems\nresources, including data.\n\nThe Privacy Act of 1974 prohibits the disclosure of personal information about an\nindividual without prior written consent. 
Section 1106 of the Social Security Act (Act)4 in\naccordance with the Computer Security Act of 1987 focuses on protecting the\nconfidentiality of information in Government records. This section of the Act states that\nno file, record, report, paper, or other information obtained at any time from any person\nmay be disclosed except as provided by regulations from the Act or other applicable\nlaws.\n\nIn June 1998, the Social Security Administration (SSA) established a uniform set of\nSanctions for Unauthorized Systems Access Violations5 (Sanctions) to secure the\nintegrity and privacy of the personal information contained in the Agency\xe2\x80\x99s computer\nsystems and to ensure that any violations of the confidentiality of its computer records\nare treated consistently.\n\nManagers are the primary lines of defense against employee systems security\nviolations. SSA\xe2\x80\x99s Integrity Review Handbook outlines the procedures for managers\nwhen they conduct integrity reviews. In an effort to prevent and uncover potential\nemployee systems security violations, SSA developed the Comprehensive Integrity\nReview Process (CIRP), a mainframe and Intranet based management tool to monitor\nspecific SSA systems activity for potential fraud or misuse by employees. CIRP uses\npredetermined criteria to select certain queries input by employees and generates\nreports for review by management.\n\nThe manager determines whether the queries are considered: 1) No Problem;\n2) Potential Violation \xe2\x80\x93 Misuse; 3) Potential Violation \xe2\x80\x93 Fraud; or 4) Not-Certified \xe2\x80\x93\nInvestigation Pending. CIRP reviews must be completed and certified in a certain\nperiod of time depending on the type of review. For example, CIRP query reviews need\nto be completed and certified by the end of each month. If a potential security violation\n(misuse or fraud) is identified, the appropriate security staff6 must be contacted to\n1\n  5 United States Code (U.S.C.) 
552a (b).\n2\n  18 U.S.C \xc2\xa7 1030.\n3\n  Public Law 100-235.\n4\n  42 U.S.C. \xc2\xa7 1306.\n5\n  Information Systems Security Handbook, Chapter 21, Attachment: Commissioner\xe2\x80\x99s Memorandum,\nJune 22, 1998.\n6\n  Integrity Review Handbook, Release 3, Chapter 1, Query Review, page 4, August 2003.\n\n\n                                              B-1\n\x0cadvise managers on the appropriate action to be taken. While the information in the\nCIRP query system is retained for a short period of time, the history of employees is\nmaintained in the Audit Trail System for 7 years. The Audit Trail System is designed to\nprovide SSA security officers with the capability to monitor SSA data entry activities\nnationwide.\n\nPRIOR REVIEWS\n\n\xe2\x80\xa2   Analysis of Social Security Number Misuse Allegations Made to the Social Security\n    Administration\xe2\x80\x99s Fraud Hotline (A-15-99-92019) dated August 1999. This report\n    identified the different types of Social Security number (SSN) misuse allegations and\n    estimated the number of occurrences for each category during the period of\n    October 1, 1997 through March 13, 1999.\n\n\xe2\x80\xa2   Referring Potentially Fraudulent Enumeration Applications to the Office of the\n    Inspector General (A-14-03-23052) dated March 2003. This report discussed the\n    extent that SSA referred potentially fraudulent SSN applications to the OIG for\n    investigation.\n\n\xe2\x80\xa2   Management Advisory Report: Sensitive Data Accessible on the Social Security\n    Administration Intranet (A-14-04-24036) dated September 2003. This report\n    identified sensitive personal information of OIG, SSA, State and contractor\n    employees and beneficiaries improperly accessible on the Agency\xe2\x80\x99s Intranet.\n\nWe are currently performing audits of SSA\xe2\x80\x99s regional office procedures for addressing\nemployee-related allegations in each of SSA\xe2\x80\x99s 10 regions. 
These audits include\nemployee-related allegations of all types except systems security violations.\n\n\n\n\n                                           B-2\n\x0c                                                                      Appendix C\nScope and Methodology\nOur objectives were to examine the processes that the Social Security Administration\n(SSA) has in place to review potential employee systems security violations in a timely\nand proper manner and to limit the Agency\xe2\x80\x99s exposure to employee misuse of its\nsystems. We also examined the process used to refer violations to the Office of the\nInspector General (OIG). Our review was based on the understanding that the Agency\nprovided us with all the systems security violation cases for the regions selected and the\nperiod reviewed. Our analysis was limited by our reliance on the Agency\xe2\x80\x99s decision on\nwhether a systems access was unauthorized and in violation of SSA\xe2\x80\x99s policies.\n\nTo meet our objectives, we examined reports of potential misuse or potential fraud\nemployee systems security violations, as designated by SSA managers needing further\nreview for all SSA components. We requested systems security violation sanction\ncases from all components Only the Office of Operations (Operations) provided\nsanction cases for review. They provided all the systems security violation cases that\noccurred between September 2000 and August 2003 in five regions (New York,\nPhiladelphia, Dallas, Atlanta and San Francisco) and at SSA Headquarters. Other SSA\nHeadquarter Offices provided information on potential systems security violations but\nhad no actual sanction cases during that timeframe. While it is true that Operations has\nmost of the employees with access to SSA\xe2\x80\x99s systems, it would seem unlikely that no\nemployee in any other component has committed a systems security violation since\n2000.\n\nWe received 308 cases from the 5 regions listed. 
For each case, we examined the Official Personnel Folder and the Adverse Action File to determine whether the Agency applied its sanction policy with consistency and timeliness. We compared all of these cases to the Office of Investigations’ Allegation and Case Investigation System to determine whether these cases were referred to OIG for investigation. We confirmed the Social Security number or the name, regional location, and the time period of the offense. Additionally, we verified these cases with the five respective Centers for Security and Integrity (CSI) offices. We also:

1. Reviewed the following criteria:

   • Office of Management and Budget (OMB) Circular A-123, Management Accountability and Control;
   • OMB Circular A-130, Management of Federal Information Resources;
   • Office of Personnel Management and National Archives and Records Administration’s guidance on personnel records;
   • SSA’s Information Systems Security Handbook;
   • SSA’s Program Operations Manual System; and
   • SSA’s Integrity Review Handbook.

2. Interviewed representatives from SSA’s:

   • Operations, Office of Public Service and Operations Support, and Division of Systems Security and Program Integrity (DSSPI). DSSPI monitors integrity reviews in the regions and the processing centers to ensure the reviews are performed timely and consistently;
   • Office of Systems Security Operations Management, which has national oversight of the integrity review process;
   • Office of Systems, Integrity Systems Development Branch, to further understand the Comprehensive Integrity Review Process;
   • Baltimore District Office to understand how SSA’s policy and procedures were implemented in the local offices;
   • Office of Central Operations CSI staff to understand the CSI’s functions and role in the integrity review process; and
   • Office of Labor Management and Employee Relations staff to understand the application of administrative sanctions in respect to systems security violations.

3. Visited the:

   • Five regional offices listed previously, and
   • The Baltimore Downtown District Office.

We reviewed the integrity review process for employee systems security violations for the entire Agency. We performed our field work in SSA Headquarters and selected regions from April 2003 to March 2004. We determined that the data used in this report was sufficiently reliable to meet our audit objectives and intended use of the data. We determined that our use of this data should not lead to an incorrect or unintentional message.
We conducted our review in accordance with generally accepted government auditing standards.

Appendix D
Sanction Cases Reviewed for Systems Security Violations

                                          Cases Referred to OIG by SSA (Offenses)
SSA Region        Cases Reviewed    Cat. I   Cat. IIA   Cat. IIB   Cat. III   Total
New York                76             0         0          0          0         0
Philadelphia            72             1         0          1          2         4
Atlanta                 67             0         1          0          7         8
Dallas                  45             1         1          0          0         2
San Francisco           48             1         0          0          2         3
Total                  308             3         2          1         11        17

Appendix E
Agency Comments

SOCIAL SECURITY

MEMORANDUM                                                    106-24-1067

Date:      July 8, 2004                                       Refer To: S1J-3

To:        Patrick P. O’Carroll, Jr.
           Acting Inspector General

From:      Larry W. Dye /s/
           Chief of Staff

Subject:   Office of the Inspector General (OIG) Draft Report, “The Social Security Administration’s Monitoring of Potential Employee System Security Violations” (A-14-04-23004)—INFORMATION

We appreciate OIG’s efforts in conducting this review.
Our comments on the draft report are attached.

Please contact me if you have any questions. Staff questions may be referred to Candace Skurnik, Director of the Audit Management and Liaison Staff, at extension 54636.

Attachment

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL’S (OIG) DRAFT REPORT, “THE SOCIAL SECURITY ADMINISTRATION’S MONITORING OF POTENTIAL EMPLOYEE SYSTEM SECURITY VIOLATIONS” (A-14-04-23004)

Thank you for the opportunity to provide comments on this OIG draft report. We appreciate the report’s recognition of the numerous processes in place at SSA for reviewing potential employee systems security violations, as well as the steps the Agency has taken to limit exposure to any violations. The actions cited in our comments demonstrate our ongoing commitment to making improvements in this important area, including continued cooperation with the OIG to address the issues raised in this OIG report.

Recommendation 1

Establish policies and procedures on retaining all supporting documentation for potential misuse or potential fraud employee systems security violations, as identified by SSA managers as needing further investigation, so that resolutions are accessible and verifiable.

Recommendation 2

Maintain supporting documentation for all potential misuse or potential fraud employee systems security violations, as identified by SSA managers as needing further investigation, to ensure appropriate and consistent sanctions are applied within the Agency.

Comment

We agree with the intent of recommendations 1 and 2, and we believe our present policies and procedures require reasonable retention of documentation necessary for ensuring effective resolution of and consistent application of sanctions for such cases. We will issue reminders as needed to management concerning these policies and procedures to assure that adequate documentation is maintained.

Recommendation 3

Provide OIG with periodic access to the potential misuse or potential fraud employee systems security violations, as identified by SSA managers as needing further investigation, to assess the information for potential criminal activity.

Comment

We agree with this recommendation. Allowing OIG access to documentation concerning potential violations will allow OIG to assess the potential for criminal activity without unduly delaying local management’s review of potential violations.

Currently, the SSA Office of Operations refers the cases listed below to OIG for review for possible investigation for criminal activity before any administrative action is taken on potential violation cases:

   -   All Category III cases (unauthorized access for personal gain or with malicious intent);
   -   All Category I cases (unauthorized access without disclosure); and
   -   Category IIA and Category IIB cases (unauthorized access with disclosure), where there exists, in management’s opinion, possible criminal activity or intent.

The Agency will provide OIG’s Office of Investigations (OI) six months of data for those cases where administrative action has already occurred. We have provided OI the requested information for the period January 2004 through March 2004. We will provide information for April 2004 through June 2004 in July 2004. Following review by OI, the SSA Office of Operations and OIG will reevaluate the referral process to determine if any modifications are necessary.
We will also consider whether all potential sanctions cases should be referred to OIG prior to taking administrative action.

Recommendation 4

Continue to ensure all integrity reviews are conducted in a more timely and in-depth manner.

Comment

We agree with this recommendation, and recognize the importance of timely and thorough investigation and resolution of Comprehensive Integrity Review Process (CIRP) reviews. We currently devote significant amounts of time and resources to monitor accurate and timely completion of CIRP alerts.

[In addition to the items listed above, SSA also provided technical comments which have been addressed, where appropriate, in this report.]

Appendix F
OIG Contacts and Staff Acknowledgments

OIG Contacts

   Kitt Winter, Director, Data Analysis and Technical Audits Division (410) 965-9702

   Phil Rogofsky, Audit Manager, Network Security and Telecommunications Branch (410) 965-719

Acknowledgments

In addition to those named above:

   Pat Kennedy, Audit Manager, Mainframe Controls and Advanced Techniques

   Mary Ellen Fleischman, Senior Program Analyst

   Harold Hunter, Senior Auditor

   Greg Thompson, Senior Auditor

   Grace Chi, Auditor

For additional copies of this report, please visit our web site at www.ssa.gov/oig or contact the Office of the Inspector General’s Public Affairs Specialist at (410) 966-1375. Refer to Common Identification Number A-14-04-23004.

DISTRIBUTION SCHEDULE

Commissioner of Social Security
Office of Management and Budget, Income Maintenance Branch
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Subcommittee on Human Resources
Chairman and Ranking Minority Member, Committee on Budget, House of Representatives
Chairman and Ranking Minority Member, Committee on Government Reform and Oversight
Chairman and Ranking Minority Member, Committee on Governmental Affairs
Chairman and Ranking Minority Member, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security and Family Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging
Social Security Advisory Board

Overview of the Office of the Inspector General

The Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI), Office of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office of Executive Operations (OEO). To ensure compliance with policies and procedures, internal controls, and professional standards, we also have a comprehensive Professional Responsibility and Quality Assurance program.

Office of Audit

OA conducts and/or supervises financial and performance audits of the Social Security Administration’s (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently.
Financial audits assess whether SSA’s financial statements fairly present SSA’s financial position, results of operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA’s programs and operations. OA also conducts short-term management and program evaluations and projects on issues of concern to SSA, Congress, and the general public.

Office of Investigations

OI conducts and coordinates investigative activity related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as OIG liaison to the Department of Justice on all matters relating to the investigations of SSA programs and personnel. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.

Office of the Chief Counsel to the Inspector General

OCCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives. OCCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material. Finally, OCCIG administers the Civil Monetary Penalty program.

Office of Executive Operations

OEO supports OIG by providing information resource management and systems security. OEO also coordinates OIG’s budget, procurement, telecommunications, facilities, and human resources. In addition, OEO is the focal point for OIG’s strategic planning function and the development and implementation of performance measures required by the Government Performance and Results Act of 1993.